Merge branch 'master' into mdm-gp-storage-policies

windows/client-management/mdm/bitlocker-csp.md

@@ -6,9 +6,8 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/31/2018
+ms.date: 12/06/2018
 ---
-
 # BitLocker CSP
 
 > [!WARNING]
@@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree
 
 <a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**  
 
-<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
+<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
 
 > [!Important]  
-> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices.  Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) for value 0.
+> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
 
 > [!Warning]
-> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
 
 <table>
 <tr>
@@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree
 </Replace>
 ```
 
+>[!NOTE]
+>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+>
+>The endpoint for a fixed data drive's backup is chosen in the following order:
+  >1. The user's Windows Server Active Directory Domain Services account.
+  >2. The user's Azure Active Directory account.
+  >3. The user's personal OneDrive (MDM/MAM only).
+>
+>Encryption will wait until one of these three locations backs up successfully.
+
 <a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**  
 Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
 
@@ -854,7 +863,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
                      
 If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
 
-The expected values for this policy are: 
+The expected values for this policy are:
 
 - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
 - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -80,10 +80,10 @@ Query parameters:
     -   Bundle - returns installed bundle packages.
     -   Framework - returns installed framework packages.
     -   Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
-    -   XAP - returns XAP package types.
+    -   XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile. 
     -   All - returns all package types.
 
-    If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned.
+    If no value is specified, the combination of Main, Bundle, and Framework are returned.
 
 -   PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value.
 

windows/client-management/mdm/index.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: jdeckerms
-ms.date: 09/12/2018
+ms.date: 10/09/2018
 ---
 
 # Mobile device management
@@ -23,12 +23,15 @@ There are two parts to the Windows 10 management component:
 -   The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
 -   The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
 
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
 
 ## MDM security baseline
 
 With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
 
+>[!NOTE]
+>Intune support for the MDM security baseline is coming soon.
+
 The MDM security baseline includes policies that cover the following areas:
 
 - Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
@@ -38,7 +41,7 @@ The MDM security baseline includes policies that cover the following areas:
 - Legacy technology policies that offer alternative solutions with modern technology
 - And much more
 
-For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/).
+For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip).
 
 
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 09/20/2018
+ms.date: 12/06/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1760,6 +1760,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ## Change history in MDM documentation
 
+### December 2018
+
+|New or updated topic | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
+
 ### September 2018
 
 |New or updated topic | Description|

windows/client-management/mdm/policy-csp-bluetooth.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/30/2018
+ms.date: 11/15/2018
 ---
 
 # Policy CSP - Bluetooth
@@ -352,15 +352,21 @@ Footnote:
 
 ## ServicesAllowedList usage guide
 
-When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
+When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
 
-To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
+- Disabling a service shall block incoming and outgoing connections for such services
+- Disabling a service shall not publish an SDP record containing the service being blocked
+- Disabling a service shall not allow SDP to expose a record for a blocked service
+- Disabling a service shall log when a service is blocked for auditing purposes
+- Disabling a service shall take effect upon reload of the stack or system reboot
+
+To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
 
 These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
 
 Here are some examples:
 
-**Bluetooth Headsets for Voice (HFP)**
+**Example of how to enable Hands Free Profile (HFP)**
 
 BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
 
@@ -370,8 +376,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
 
 Footnote: * Used as both Service Class Identifier and Profile Identifier.
 
-Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
+Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB
 
+**Allow Audio Headsets (Voice)**
+
+|Profile|Reasoning|UUID|
+|-|-|-|
+|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E|
+|Generic Audio Service|Generic audio service|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|PnP Information|Used to identify devices occasionally|0x1200|
+
+This means that if you only want Bluetooth headsets, the UUIDs to include are:
+
+{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
+
+<!--
 **Allow Audio Headsets only (Voice)**
 
 |Profile  |Reasoning  |UUID  |
@@ -386,38 +406,38 @@ Footnote: * *GAP, DID, and Scan Parameter are required, as these are underlying
 This means that if you only want Bluetooth headsets, the UUIDs are:
 
 {0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+-->
 
 **Allow Audio Headsets and Speakers (Voice & Music)**
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
 |HFP (Hands Free Profile)     |For voice enabled headsets         |0x111E         |
-|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110A         |
-|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
-|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110B|         
+|Generic Audio Service|Generic service used by Bluetooth|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|AV Remote Control Target Service|For controlling audio remotely|0x110C|
+|AV Remote Control Service|For controlling audio remotely|0x110E|
+|AV Remote Control Controller Service|For controlling audio remotely|0x110F|
+|PnP Information|Used to identify devices occasionally|0x1200|
 
-{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; 
 
 **Classic Keyboards and Mice**
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
 |HID (Human Interface Device)     |For classic BR/EDR keyboards and mice         |0x1124         |
-|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
-|DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+|PnP Information|Used to identify devices occasionally|0x1200|
 
-{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
 
-> [!Note]  
-> For both Classic and LE use a super set of the two formula’s UUIDs
 
 **LE Keyboards and Mice**  
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
-|Generic Access Atribute     |For the LE Protocol         |0x1801         |
+|Generic Access Attribute     |For the LE Protocol         |0x1801         |
 |HID Over GATT *     |For LE keyboards and mice         |0x1812         |
 |GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
 |DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
@@ -433,10 +453,12 @@ Footnote: * The Surface pen uses the HID over GATT profile
 |---------|---------|---------|
 |OBEX Object Push (OPP)     |For file transfer         |0x1105         |
 |Object Exchange (OBEX)     |Protocol for file transfer         |0x0008         |
-|Generic Access Profile (GAP)     |Generic service used by Bluetooth         |0x1800         |
-|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
-
-{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+|PnP Information|Used to identify devices occasionally|0x1200|
 
+{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
 
+Disabling file transfer shall have the following effects
+- Fsquirt shall not allow sending of files
+- Fsquirt shall not allow receiving of files
+- Fsquirt shall display error message informing user of policy preventing file transfer
+- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -463,10 +463,13 @@ If you disable or do not configure this policy setting, devices can be installed
 
 For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
 
-To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
+You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives:
 
-![Hardware IDs](images/hardware-ids.png)
+![Disk drives](images/device-manager-disk-drives.png)
 
+Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**: 
+
+![Hardware IDs](images/disk-drive-hardware-id.png)
 
 <!--/Description-->
 > [!TIP]